----------  Database Role  ----------

A Role generally refers to a title or a set of duties, which is a named bundle
of zero or more privileges. It is created and dropped using Standard SQL state-
ments.

Compared to user, it is either an actual person or an application program that
has access to SQL-data. Users are outside schemas. The methods used to create,
drop  and  map  it  to actual person/application  programs are implementation-
defined. Empress doesn't provide special commands to create, drop and map user.

Following ANSI SQL99, Empress supports "create role", "grant role", "revoke
role" and "drop role" commands.

The syntax for "create role" command is:

    create role ROLE;

The "create role" statement specifically defines ROLE to be a Role rather than
a User. This ROLE cannot be a defined user in the database schema, such as
dba, user, PUBLIC etc.

The syntax for "grant role" command is:

    grant ROLE {, ROLE } to GRANTEE {, GRANTEE } [ WITH ADMIN OPTION ]
 
The "grant role" statement grants the use of one or more ROLEs to one or more
GRANTEEs, including (possibly) PUBLIC. The grantor of the ROLEs must, of course,
hold these ROLEs as grantable ROLEs (that is, WIRG ADMIN OPTION).

The option WITH ADMIN OPTION clause defined grantable ROLES.

The syntax for "revoke role" command is:

    revoke [ ADMIN OPTION FOR ] ROLE {, ROLE } FROM GRANTEE {, GRANTEE }
                           { RESTRICT | CASCADE }

The "revoke role" statement revoke the use of one or more ROLEs from one or
more GRANTEEs.

The ADMIN OPTION FOR clause allow grantor to revoke only the grantability of
a ROLE.

If the revoke role statement specifies CASCADE, the revoke succeeds - and it
cascades down to revoke and roles that would otherwise be abandoned.
If the revoke role statement specifies RESTRICT, the revoke succeeds only if
the role being revoked has no dependent roles.

The syntax for "drop role" command is:

    drop role ROLE;

Only creator of ROLE can drop it. For each user/role, it was granted use of
the role, RDBMS will call the following revoke.

    revoke ROLE from GRANTEE restrict.

For further information on display role information, enter:

                help display;
